This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
NOTE: This You are looking at documentation for an older release. For the latest information, see the current release documentation.
Filter and enhance the exported data
editFilter and enhance the exported data
editYour use case might require only a subset of the data exported by Journalbeat, or you might need to enhance the exported data (for example, by adding metadata). Journalbeat provides a couple of options for filtering and enhancing exported data.
You can configure Journalbeat to include events that match specific filtering
criteria. To do this, use the include_matches
option. The advantage of this approach is that you can reduce the number of
fields that Journalbeat needs to process.
Another approach (the one described here) is to define processors to configure global processing across all data exported by Journalbeat.
Processors
editYou can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Journalbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...